Password security

Easy and Secure

Most things that increase security make your life a little harder. Locks, for example, are just so tedious to deal with. The only exception to this rule that I’ve encountered is a password manager. What’s that? Oh, you don’t know? Allow me to give a sales pitch.

/clearsThroat
/adjustsTie
/longPause

Passwords are such a bore, amirite? Too long, not long enough, needs more cowbell. The umpteenth iteration of my dogs name is hard to remember. “Is it sparky22 or sparky21 on reddit…?” If you’re anything like me, you’re about 2 incorrect attempts away from launching a brick through your own window because you can’t remember that password you use once a year for TurboTax.

Calm down, dear friend! The end of your struggles is nigh. Let me show you the ways of a password manager. With this wonderful tool, of which there are many, you will only have to remember one password. Just one!

I know what you’re going to say: “but Erik, having just one password is a single point of failure. That contradicts a fundamental tenet of any secure system!”

You’re a keen bean, dear friend, but you’re missing the point. One strong point of failure is much better than many weak points of failure. Whether it’s some clever phone scammer gleaning information from you, or some script kiddie running executables they found on 4chan, your self-generated password is not hard to crack. Just take a look at the most common passwords. Or take a look at this very on point XKCD comic:

The point is that weak passwords will get you PWNed, and I bet your password is quite weak.

“Okay,” you might respond, “but I’m no dummy. No system is unbreakable, and a vault of a bajillion passwords is the holy grail for a malicious user. Why would I put my precious password in that vault?”

Ah, I see your distrust runs as deep as my own. You are right to scorn all commercial attempts at increasing security. Let’s take a look at our DIY options here.

Locals Only

I use Pass because it keeps my passwords on my local machine, and off of some service that could, and probably will, get hacked. What’s more secure about my local machine than, say, LastPass’ server? Absolutely
nothing, but that’s beside the point. We are not trying to build the most secure, unbreakable system here; we are simply trying to not be the lowest hanging fruit.

There are probably other options for locally managed password stores, but the point of this post is not to compare and contrast them all. The point of this post is to show you that a little bit of work up front will make your password life way easier. Have a better solution than Pass? Send an email to blog [at] this domain and I’d be happy to hear about it.

GPG? PGP? WTF? IDFC!

Be mellow, there’s no need to curse. Some alphabet soup follows, so take a deep breath and don’t worry if you can’t remember everything in this section.

A password manager’s main purpose is to protect passwords for easy access and use by the owner, and no one else. This is accomplished by encrypting all stored passwords.

Pass uses GPG to encrypt and decrypt passwords. What is GPG? Its GNU’s version of the PGP standard (or software suite). PGP stands for “pretty good privacy.” These are general purpose encryption tools/standards used in a variety of contexts. Pass, like any good unix tool, prioritizes modularity, so it makes you manage your own private key. It does one thing, manage passwords, and it does it well.

“Ugh,” moans the weary reader, “I have to set up a private key and learn about this PGP standard? But I don’t have time to–”

Stop, stop, stop your whining. You don’t really have much to do, this blog post will ELI5 how to set up a fully bomber GPG keypair: Creating the perfect GPG keypair. Don’t set it to expire and you can pretty much forget anything your learned about encryption… but, I mean, you should read up… educate yourself, it’s empowering.

Install and Use Pass

This is it! Go over to Pass’ website and follow the install instructions for your operating system.

Tips

Git

This does subvert the “keep it local” idea, but everything remains encrypted in transit and at rest. Most importantly we are not a part of the aforementioned “hacker holy grail” of a LastPass server.

I track my passwords in a private github repository. So in my root folder I have a folder .password-store with a .git folder within that. This allows me to easily revert passwords to a previous version (in case I made a goof) and it allows me to keep passwords synced between my various devices.

Whenever I move to a new machine, I run a script to populate it with all the tools I use and customizations I prefer. The portion of this concerning pass looks like so:

sudo apt install pass
mkdir ~/.password-store
cd ~/.password-store
git clone git@github.com:<password-repository-url-goes-here>

but on a fresh install of pass, just use

pass git init
pass git remote add origin <password-repository-url-goes-here>

This is another thing pass goes very well: wrapping git without restricting it. Use any git command! Just preface it with pass and it will apply to your password repository. Remember to make that repository private though!

Multiline Passwords

Given the -c flag, Pass will copy the password to the clipboard momentarily. Note that this will only copy the first line though! So you can put notes (i.e. security question answers) after the first line of the password file.

Everyday Usage

1. Copy a password to the clipboard:

   pass -c path/to/my/password
   

   • note that the path listed will be relative to ~/.password-store
2. Generate a new password

   pass generate my/new/password 32 -c
   

   • I always use super long passwords, because I don’t have to memorize them!
   • Use the -c flag again here to copy it to the clipboard immediately

So… what did we do here… and why?

1. install a password manager, Pass
   • what is it?
     • manages passwords, keeping them encrypted at rest
     • configured it with git to keep in sync between all devices
     • delegates encryption to GPG like a good unix tool
   • why did we choose this?
     • follows the Unix philosophy
   • this enables it to play it’s small part in our secure system - it keeps passwords encrypted at rest and in transit
   • since it uses git, that transit can be SSL and authenticated into via an SSH key
2. create a secure private and public keypair
   • what is it?
     • alphabet soup that amounts to basic asymetric cryptography
     • a master-key / sub-key setup that will allow us to respond to a lost or stolen private key scenario a little easier
   • why did we do this?
     • pass doesn’t handle encryption

Now you only have to memorize one password ever again! Keep that private key safe…

Next Up

Next post I will talk about a way to make working with Pass even easier!